Tuesday, 13 May 2014

Public service told to better protect personal data

Commissioner Billy Hawkes
cites example of man whose data was accessed by ex-wife working in Department
of Social Protection

Irish Times , Monday 12th May 2014

Action is needed to tackle
deficiencies in how the public service protects the personal data of citizens
before such action is triggered by a “crisis”, the Data Protection Commissioner
has said.

Billy Hawkes
was speaking today on the publication of his annual report for 2013, which is
his final annual report in the office. He retires in August.

Mr Hawkes highlighted a number
of issues of concern and said his audits of State organisations had “in too
many cases, shown scant regard by senior management to their duty to safeguard
the personal data entrusted to them – a duty that is all the greater because of
the legal obligation to provide such personal data to the State”.

Laudable objectives such as
fraud prevention and greater efficiency must meet a test of proportionality in
the manner in which data is used.”

In one case study published in
the report, his office received a complaint from a man concerned about
inappropriate access to his details by an employee of the Department of Social
Protection– namely his ex wife.

There were 12 instances of
unauthorised access to his records between February 2004 and July 2009. An
investigation was carried out by the department and the matter was referred to
the HR division for possible action under the Civil Service Disciplinary Code.

Mr Hawkes said once again this
case highlighted “the unacceptable practice by some individuals of snooping
through official records for personal reasons unconnected with their official
duties”. Taking no action against individuals caught in engaging in such
activity was “not acceptable” and it should be clear to all users there there
were “serious negative consequences” for unauthorised access to personal
information for unofficial purposes.

“Varying degrees of personal
information relating to every citizen in the State is held on databases within
Government Departments and officials who have access to this information to
conduct their official duties are entrusted to access and use that information
in accordance with the requirements of their functions,” he said.

“Straying beyond the
boundaries of their official duties in terms of accessing personal records
amounts to unlawful activity by the individuals concerned. For that reason, it
is critical that data controllers, such as a Government Department in this
case, have robust disciplinary policies in place to deal with any breaches.”

Mr Hawkes told The Irish
Times he believed “the State system in general is not paying sufficient
attention to its responsibilities for the quantum of data it holds on all of
us”.

“I suppose if I had a parting
wish as Data Protection Commissioner it is that there would be system-wide
action taken on data protection – that would be the responsibility of the Department of
Public Expenditure and Reform - rather than have it triggered by a
crisis, which I think is inevitable unless action is taken.”

In relation to the audit of
the An Garda Síochana Pulse system, which was published earlier in the year, Mr
Hawkes recommended in his report that the force should have a dedicated data
protection unit.

He said he expected the force
to now “actively enforce” the terms of a directive from headquarters and to
take “strong and appropriate disciplinary action against any persons abusing
their access to Pulse and prosecutions against any person found to be using
such access for gain”.

He also expressed concern
about the use for criminal purposes of the fingerprints of individuals who were
required to provide such prints in connection with applications for asylum,
visas and residence.

In his report, Mr Hawkes said
the debate resulting from the revelations last year by the former NSA
contractor Edward Snowden
of the extent of access by US and European intelligence agencies to personal
data had “thrown a welcome spotlight on the general issue of state access to
personal data”.

A recent decision by the Court
of Justice of the European Union
to invalidate the EU Data Retention Directive relating to phone and internet
data had “clearly set out the need for proportionality in this area”.

“The CJEU judgment also shows
the importance of challenging such privacy-destroying measures, as was done in
this case by Digital Rights Ireland,
supported by the Irish Human
Rights Commission. ”